Threat Modeling based Penetration Testing: The Open Energy Monitor Case study / Salzillo, G.; Rak, M.; Moretta, F. - (2020), pp. 1-8. (Paper presented at the 13th International Conference on Security of Information and Networks, SIN 2020, held in tur in 2020) [10.1145/3433174.3433181].

Threat Modeling based Penetration Testing: The Open Energy Monitor Case study

Rak M.;
2020

Abstract

Currently, the widespread diffusion of intelligent objects connected to the Internet and continuously interacting with people is a fact. However, such a paradigm has a side effect in terms of privacy and security: personal data and the control of critical devices (e.g. boiler, air conditioning, video surveillance, controlled gates, ...) are often delegated to home automation systems, which are often managed by non-expert users and, consequently, likely exposed to multiple security threats. This article follows a research line that aims to offer a systematic way to identify threats in Internet of Things systems and, consequently, to plan penetration testing procedures, automated as much as possible, that outline possible security holes and help to raise awareness of the issues related to these new technologies. In this paper, we address a typical home system, the Open Energy Monitor, to demonstrate our methodology. In this analysis we focus on the MQTT protocol, commonly used for communication between IoT devices, and propose a complete Threat Model for this protocol. The main innovative contribution of this paper relates to the catalog of threats made available for MQTT-based devices (highly reusable in different environments) and to the planning of penetration tests, which relies on the adoption of a cyber threat intelligence database, offered by MITRE, that collects common attack patterns.
ISBN: 9781450387514
Use this identifier to cite or link to this document: https://hdl.handle.net/11588/986016